02-08-2007, 06:57 AM
|
#1
|
Member
Registered: Dec 2003
Location: Spain
Distribution: Slackware 14.1 64bit - multilib
Posts: 148
Rep:
|
Possible SYN flooding?
I seem to be getting a few of these messages after upgrading to a 2.6.20 kernel and upgrading arno's firewall script.
Feb 8 12:51:56 gbnet kernel: possible SYN flooding on port 19516. Sending cookies.
Port 19516 is the port I use for Bittorrent.
Any ideas?
Regards,
Gregory Bowden
|
|
|
02-08-2007, 07:39 AM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
How many connections are we talking about ("netstat -ant | grep -c SYN_RECV")?
Does your firewall have any SYN checking in place (tcp --syn -> --limit-burst)?
Does the situation persist if you stop Bittorrent?
Does the situation persist if you (re)start Bittorrent with options like (or equiv to) --max_uploads, --max_initiate, --max_allow_in?
For background info here's the IETF Draft and a doc from Cisco (cuz it has pretty pictures). For more info see the LQ FAQ: Security references, post #2 "Netfilter, firewall, Iptables, Ipchains, DoS, DDoS".
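The first question above asks for a single total of half-open sockets. As an added example (not part of the thread or of any poster's code), the shell functions below break the same `netstat -ant` output down by local port and by remote peer, which shows whether the SYN_RECV entries cluster on the Bittorrent port and whether they come from a few addresses or many. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: break down half-open (SYN_RECV) sockets from `netstat -ant`.

# Constructed sample input using documentation-range addresses; not data from the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:19516           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:19516        198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:19516        198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:19516        203.0.113.9:40000       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.50:50022      ESTABLISHED
tcp        0      0 192.0.2.10:6881         198.51.100.7:51300      SYN_RECV
tcp        0      0 192.0.2.10:19516        198.51.100.20:33333     ESTABLISHED
EOF
}

# Count SYN_RECV sockets per key, reading netstat output on stdin.
#   $1 = port -> key is the local port   (field 4, text after the last ':')
#   $1 = peer -> key is the remote host  (field 5, text before the last ':')
# Prints "<count> <key>" lines, highest count first.
syn_recv_by() {
    awk -v mode="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            field = (mode == "port") ? $4 : $5
            i = match(field, /:[^:]*$/)      # last colon, so IPv6 also works
            if (i == 0) next
            key = (mode == "port") ? substr(field, i + 1) : substr(field, 1, i - 1)
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Print the local ports whose half-open count is at or above threshold $1.
ports_over() {
    syn_recv_by port | awk -v t="$1" '$1 >= t { print $2 }'
}
```

On a live host the input would be `netstat -ant | syn_recv_by port` and `netstat -ant | syn_recv_by peer`.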
|
|
|
02-08-2007, 08:01 AM
|
#3
|
Member
Registered: Dec 2003
Location: Spain
Distribution: Slackware 14.1 64bit - multilib
Posts: 148
Original Poster
Rep:
|
Thanks
Running the netstat command I get the following:
Code:
13:57:05 root@gbnet:~# netstat -ant | grep -c SYN_RECV
8
These are my iptables rules I'm using for Bittorrent:
Code:
# Put any custom (iptables) rules here down below:
##################################################
# Bittorent
iptables -I INPUT 1 -i eth0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 19516 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 19517 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 6881 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 6881 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 6346 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 6346 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 60500 -j ACCEPT
When I stop running KTorrent, the Bittorrent application, these messages stop.
Regards,
Gregory Bowden
|
|
|
02-08-2007, 08:15 AM
|
#4
|
Moderator
Registered: May 2001
Posts: 29,415
|
OK. Three answered, one to go.
|
|
|
02-08-2007, 08:32 AM
|
#5
|
Member
Registered: Dec 2003
Location: Spain
Distribution: Slackware 14.1 64bit - multilib
Posts: 148
Original Poster
Rep:
|
Dear unSpawn,
I'm using KTorrent to download torrents, so I don't really know what options correspond with the ones you posted.
But I have max uploads set to 10, 150 connections per torrent and 300 connections globally. I'm also limiting the upload speed to 15KB/sec and download to 100KB/sec.
Last edited by gbowden; 02-08-2007 at 08:43 AM.
|
|
|
02-08-2007, 08:41 AM
|
#6
|
Moderator
Registered: May 2001
Posts: 29,415
|
Heh, I said "or equivalent". I don't know, *you* run that application so you have the docs.
|
|
|
02-08-2007, 08:49 AM
|
#7
|
Member
Registered: Dec 2003
Location: Spain
Distribution: Slackware 14.1 64bit - multilib
Posts: 148
Original Poster
Rep:
|
Ok I seem to have found the problem.
Once I deleted the torrent I thought was causing the problem the messages just stopped appearing.
Thanks for your help.
Regards,
Gregory Bowden
|
|
|
02-08-2007, 09:16 AM
|
#8
|
Moderator
Registered: May 2001
Posts: 29,415
|
NP. You found the cause but I still have no idea why it did excessive SYNs. Could you post some specs about that particular torrent? Like what tracker(s) it's on, does it do peerless as well, any clue that helps would be welcome. Else if you think sharing the .torrent could help, contact me by email and I'll have a look.
|
|
|
All times are GMT -5.